OCR Issues HIPAA Audit Protocol

On June 26, 2012, the Office for Civil Rights (OCR) posted on its website the audit protocol it will use to assess Health Insurance Portability and Accountability Act (HIPAA) compliance efforts by covered entities and business associates as required by Section 13411 of the HITECH Act.  The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

The purpose of the OCR HIPAA audit program is to analyze processes, controls and policies of selected covered entities and business associates in accordance with Section 13411 of the HITECH Act.  OCR advised that "the audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification," and that the combination of the privacy, security and breach notification requirements audited may vary based on the type of covered entity being audited.

The audit protocol applies to Privacy Rule requirements for (1) notice of privacy practices for protected health information (PHI), (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.  The audit protocol covers Security Rule requirements for administrative, physical, and technical safeguards, and covers requirements for the Breach Notification Rule.